Most likely, your boss did look at your private email messages and other personal information (because his other explanation doesn't make sense unless he's really incompetent). Consider the information you had on there compromised. The cookies, the passwords, keys, etc. Assume he was able to recover them. Change them all. And assume that he's going to do the same thing over again.
– Stephan Branczyk Oct 7 '16 at 1:40

28

I don't know how big your company is, but if you have dedicated IT staff, you should ask them if this is a legitimate use of the admin account (and whether your boss should even HAVE access to the admin account). If he's resetting your password via offline means (via ntpasswd boot USB for example) that's almost certainly a violation of IT policy, assuming your company is large enough to have a formal IT policy.
– Doktor J Oct 7 '16 at 19:16

4

If he has to reset the password, then your company isn't doing things right. There should be software that audits use of the system; your boss resetting your password and accessing your account to audit is simply wasting valuable time and may be breaking I.T. policies to boot.
– AStopher Oct 7 '16 at 21:42

It's more serious than petty concerns over pirated movies. "I didn't embezzle that money/steal that source code and sell it/commit that felony hack/etc., my boss did, using my account". Thus, it should concern everyone - the OP and boss for both being potentially culpable for any malfeasance done with the user's account, and the company for not being able to attribute actions on the OP's account to the account owner.
– HopelessN00b Oct 6 '16 at 14:42

6

"He should have access to the computer, but not the accounts." Most large US government agencies follow this approach.
– Mark Rogers Oct 6 '16 at 15:30

1

This answer is spot on but OP still can't solve his situation. I suggest adding a suggestion to explicitly give boss an account on the machine which can access the development folders and educate boss about the git --author command or whatever their version control system's equivalent is, so boss doesn't need to log in as OP to achieve his goal.
– Sumyrda Oct 6 '16 at 17:50

11

@Sumyrda True, but only if you give credibility to his boss' explanation. Does he like untested, broken code? The solution would be a policy that you need to check in any work in progress at the end of the day in a branch, which is easily verified.
– jimm101 Oct 6 '16 at 18:06

Check your IT policy, most places have a rule that this is not ok, ever.

Two things to think about:

if you were discussing a complaint about your boss with HR, they would be able to find out.

if your boss has access to your machine and breaks something, it will appear to have been you that did it.

In every place I have ever worked, this behaviour is completely against company policy for the reasons outlined above. It opens the company up to potential legal issues should they ever decide to dismiss you.

+1 for making the point that the person going in can cause trouble and it will appear as if the OP did it. There is nothing wrong with the boss going in as ADMIN, but not as the user. As you said, some places have IT policies that are much more restrictive where only an IT Admin is authorized to go into the machines. Personally, I smell a rat.
– Retired Codger Oct 6 '16 at 13:26

So I take it boss is coming in as an Admin and resetting your password so he can log in as you. The act of resetting a password is recorded. The account that reset your password is recorded along with the time.

This just makes no sense. If he can come in as Admin then he can view all files. There is no purpose to log in as you unless the intent is to impersonate you.

The reason he gives is

He wants to know if there is anything uncommitted in my computer, so
he can commit in my name.

That is not a reasonable purpose. If the code was ready to commit then you would have committed it. If he wants to commit the code then he should do it under his name.

I get maybe an emergency build but not accepting this should happen on a regular basis.

It is company equipment so in US probably legal. It would not pass any legitimate IT policy. A user not in IT to have Admin rights is not common. For developers sometimes they are in IT and some trusted developers are given Admin rights but they are expected to not use those rights to change passwords and log in as that person.
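Added example (not part of the original answer or thread): the point that a password reset is recorded, together with the account that performed it, can be checked against the Windows Security log. Assuming a Windows machine with account-management and logon auditing enabled and a Security log exported as XML, this Python code pairs event 4724 (password reset by another account) with the next interactive 4624 logon of the reset account; the sample events and account names are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS_URI = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": NS_URI}
INTERACTIVE = {"2", "7", "10", "11"}  # console, unlock, RDP, cached logon types

def _event(eid, ts, **data):
    """Build one constructed <Event> in the Windows event XML layout."""
    rows = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS_URI}"><System><EventID>{eid}</EventID>'
            f'<TimeCreated SystemTime="{ts}"/></System>'
            f'<EventData>{rows}</EventData></Event>')

# Constructed sample export, not real log data; account names are hypothetical.
SAMPLE = "<Events>" + "".join([
    _event(4724, "2016-10-05T19:42:10.000Z", SubjectUserName="Administrator", TargetUserName="alice"),
    _event(4624, "2016-10-05T19:46:31.000Z", TargetUserName="alice", LogonType="2"),
    _event(4724, "2016-10-06T09:00:00.000Z", SubjectUserName="helpdesk", TargetUserName="bob"),
    _event(4624, "2016-10-06T14:00:00.000Z", TargetUserName="bob", LogonType="2"),
]) + "</Events>"

def _parse(xml_text):
    """Yield (event_id, utc_time, fields) for each Event in the export."""
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        system = ev.find("e:System", NS)
        eid = int(system.find("e:EventID", NS).text)
        stamp = system.find("e:TimeCreated", NS).get("SystemTime")
        when = datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S")
        fields = {d.get("Name"): d.text for d in ev.iterfind("e:EventData/e:Data", NS)}
        yield eid, when, fields

def resets_followed_by_logon(xml_text, window=timedelta(minutes=30)):
    """Pair each 4724 reset done by another account with the next interactive
    4624 logon of the reset account, keeping pairs that fall inside `window`."""
    pending, hits = {}, []
    for eid, when, f in sorted(_parse(xml_text), key=lambda e: e[1]):
        target = (f.get("TargetUserName") or "").lower()
        resetter = f.get("SubjectUserName") or ""
        if eid == 4724 and resetter.lower() != target:
            pending[target] = (resetter, when)   # remember who reset whom, and when
        elif eid == 4624 and f.get("LogonType") in INTERACTIVE and target in pending:
            resetter, reset_at = pending.pop(target)
            if when - reset_at <= window:
                hits.append((resetter, target, reset_at, when))
    return hits

if __name__ == "__main__":
    for who, target, reset_at, logon_at in resets_followed_by_logon(SAMPLE):
        print(f"{who} reset {target} at {reset_at}, logon as {target} at {logon_at}")
```

An offline reset such as the ntpasswd boot USB mentioned in the comments edits the account database directly and leaves no 4724 event, so an empty result does not rule out access.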

Usually a developer has admin rights on his own box only, not admin rights to log into other people's boxes. This sounds like a small company where they don't have a real IT dept, and the owner/boss person has domain admin rights, which is just bizarre.
– BrainSlugs83 Oct 8 '16 at 6:22

Others have already mentioned why someone committing code without knowing why you didn't do it is stupid and that using your account is high probability against company policy. In some jurisdictions illegal.

But you hinted that your primary concern is stored passwords. Put them in a password manager program that requires a "master password" (which only you know) to get to them, such as password1 or KeePass (or Firefox). And if possible, put that app and its DB on a USB stick.

Do those passwd managers have an option to forget the master PW on hibernate/resume? If not, you def. need your passwords on a USB stick.
– Peter Cordes Oct 8 '16 at 2:49

I know nothing about password1. KeePass I used four years ago, so it may have changed. You launch it, enter the master password, grab the stored password you want, and then close it. FireFox, you have to enter the master password at least once each browser launch before you can get to the stored ones.
– WGroleau Oct 8 '16 at 3:41

If a password manager is not an option, then at least an encrypted file. With existing software you should be able to make an encrypted zip, or Excel file.
– Dennis Jaheruddin Oct 8 '16 at 14:26

And if an encrypted file, I would also recommend that be on a USB stick. (Which, of course, you take with you when you leave!)
– WGroleau Oct 8 '16 at 15:50

2

With LastPass, I have the session logged out after X minutes of idle time. Usually I keep this low, like 3 minutes or something. You can also use two-factor authentication to prevent login without both the password and the hardware component (e.g. OTP app on your phone, SMS, or something like Yubikey). Those are available to free-tier accounts. You should also be using passwords on your SSH keys, so that pushing any changes is impossible without the key password. It is only slightly inconvenient, but you know what is more inconvenient? Being framed for embezzlement by your boss.
– L0j1k Oct 10 '16 at 5:18

As you pointed out, the company owns the computer. Since they own the computer, your manager or anyone with the authorization and admin rights can log into your computer as long as they aren't abusing the access in such a way to jeopardize your job. Rule of thumb is don't keep your personal financial information or resumes on your computer. Let work be work so as to not just protect your personal information but to limit the damage that can be done if someone with access did attempt malicious activity under your name.

In one of my previous environments, it was commonplace for managers to access their employees' computers because people kept project files and customer mortgage documents locally on their machine; so when that person was out sick and the customer needed to change their closing date, a manager had to access that employee's computer to get the original document. Archaic system I know, but that's just one case of legitimate reason a manager would need to access an employee's computer.

There's a big difference between using the computer and using your individual account. Almost every company with a policy for this has a policy that you never log in to another user's account without their presence or without specific access granted by the IT dept. Otherwise, there is no way to prove that anything done on somebody's account was actually done by that person.
– Kaz Oct 6 '16 at 13:20

12

@Kaz Yep, MAJOR security breach. I know several employers that would march that manager right out for pulling that maneuver
– Retired Codger Oct 6 '16 at 13:35

1

There's no problem on access company's computers by admin staff. On THEIR ACCOUNT. This is not the case here.
– Fabricio Araujo Oct 7 '16 at 20:51

In the UK, by default this would NOT be acceptable. Your boss would be entitled to monitor your work activities, but if you had logged into your personal email account, your boss would not be entitled to monitor that.

However, to counter this, it is standard practice to include a clause in your contract or acceptable use policy that says "company equipment cannot be used for personal use". If that clause is present, then your boss IS entitled to monitor all usage of a work computer.

Many countries have similar laws to the UK, but there are notable differences. For example, in Germany you have a stronger right to privacy.

Source: I've worked in infosec for some years and have learned this on various courses I've attended (e.g. SANS). I'm afraid I don't have links immediately to hand, but you should be able to find them easily enough.

+1 I have worked at companies where having anything of a personal nature on the firm's PC would be regarded as a serious offence. Although this was some time ago - before the days of BYOD, and in fact B'ing YOD and plugging it into the company network would have been viewed as an even more serious offence.
– peterG Oct 8 '16 at 21:37

@peterG - One of the concerns with BYOD is the company doesn't have a "right to audit". Some companies make you sign over a right to audit before using a BYO device. More commonly, they only allow remote desktop (or similar) access from a BYO device, so actions relating to company data can be audited on the server.
– paj28 Oct 9 '16 at 8:25

Note that the JohnHC answer above "your boss can see any messages between you and HR" makes the personal/work distinction somewhat less clear than your answer suggests. Is your immediate manager entitled to monitor the progress of your complaint about him? Or worse, reply to those emails using your account/name?
– Móż Oct 10 '16 at 3:20

@Móż - That's an excellent point, and one I fear the SANS trainer hadn't considered. In practice, HR have an aversion to email for sensitive issues, but this is more because emails can be misinterpreted rather than confidentiality.
– paj28 Oct 10 '16 at 7:03

The simple answer is don't store your passwords on your computer or use some kind of keychain application that doesn't use the login password system.

As other people have mentioned, your manager is probably not compliant with IT security policy. It might be worth tactfully mentioning to your IT support that your password has been reset on multiple occasions and let them take whatever action.

Something missing from the other answers so far, is that in the case of uncommitted changes, it should not be your boss who commits them and that is not a reasonable excuse. I'm thinking in terms of software development versioning systems but this is equally applicable to legal documents or other "vital" work that might need to be committed in a timely fashion: how does your boss know that the changes are complete, tested, verified, ready, etc ?

Level 1: Does my manager have the right to access MY work computer? That depends. Your company will have defined what rights anyone in the company has. Your manager has that right if the company says he has the right, and he doesn't have the right if the company says he doesn't. I would agree with my manager accessing my computer let's say if I had an accident and there was important information only on my computer. If it happened without a very good reason I would be very, very angry and that wouldn't be a good thing.

Level 2: What about my privacy? Depending on the country where you are, private information may be strongly protected, even if it is on a computer owned by the company and that shouldn't be on that computer. Or it may be totally unprotected on your work computer.

Level 3: Legalities. And here we have a big, big, red flag. The CEO of your company has no right whatsoever to access the computer of his accountant. Your manager has no right whatsoever to commit changes under your name. As a software developer, the uncommitted code on my computer is under development, and at any point in time it could be in a state that could be between costly and fatal if committed and shipped to customers. (I might write software that ships goods to customers, sends a bill to the customer, and records that the customer owes the company money. If only two of these three parts are finished, and my boss commits this unfinished work, that would be fatal). There are many industries where access to data is strictly controlled and what the boss is doing here could cause criminal charges and enormous liability for the company.

You enter a password on a private computer, hence it may or may not be available to its owners. If there is a domain set up, it may or may not be in plaintext on the domain controller already. The password is not your secret, it is a shared secret. Shared secrets allow for trusted and possibly encrypted channels to be established. That's not your identity!

It's my company, I may as well set up an account with identical user names and passwords on each of my computers, which everybody knows, and who is to say it's not within my right to do so? I worked in such an environment, there was no trouble whatsoever. It's not your call.

Putting someone's real name in the real name field of some domain account changes nothing, it is not nearly enough to prove anything in court. No, even if your boss has not ever logged in (which is basically unprovable), that IT guy fed up with stupid stuff probably has superuser rights and could do whatever he wants and no one will ever know.

The idea that company-generated credentials automating authentication and delivery of access to company-owned infrastructure and information that the company willingly shared with you to automate some work processes in the way the company sees fit somehow entitles you to anything is blatantly, irrefutably absurd.

The company can set up whichever automation and authentication procedures it wants and yes, your boss can do whatever they want. Unless, of course, their boss says they can't, then you go to their boss.

Surely, nothing implies whether these are some good or bad practices in some particular senses. That's for the company to decide, not you.

Surely again, if we're talking some kind of fraud, that's a whole other issue. Logging into your company-provided e-mail account may be A-OK, but sending an e-mail to your wife with your signature at the end is not.

Please notice it is not necessary to log into any of "your" accounts to do so, but that still constitutes wrongdoing.

Committing the code you wrote in working hours on company's private computer, which you got paid for, to company-owned repository and build farm is A-OK (from whichever corporate account the company wants it committed from), but adding malicious backdoor code and then claiming you did it is not.

Please notice it is not necessary to log into any of "your" accounts to do so, but that still constitutes wrongdoing.

Here's another downvote. Yes, IT guys have superpowers and could do all sorts of nasty things if they go rogue; however, this question is about the OP's boss, for whom there really is no good reason whatsoever to impersonate the OP. Yes, it's possible (if unlikely) that this is within company policy, but it's still terrible policy.
– jpatokal Oct 6 '16 at 19:46

Do not engage in "edit wars". That statement was 100% inappropriate for an answer (and would be best not even left as a comment), and should be removed. You do not "own" your answer. Furthermore, comments are liable to be deleted at any time for any reason and without notification, especially when they are just pointless bickering; if you have a problem with that, then this may not be the site for you. Fortunately, there are plenty of other websites (and real life places) to choose from!
– Lightness Races in Orbit Oct 8 '16 at 12:30

1

Since the accounts are supposedly shared how does org monitor usage by personnel other than user the account was created for? Excel spreadsheet? I am also going to assume that safest way to avoid misuse of such lovely practice on pinky swear Huzzah in front of HR rep?
– Cthulhubutt Oct 8 '16 at 14:03

4

@dbanet stop rolling back that edit. Answers are for answers, not for meta-commentary on voting.
– Monica Cellio♦ Oct 9 '16 at 2:23
